2016 has seen widespread use of a new type of ransomware known as MSIL/Samas.A. Attackers actively scan the Internet for vulnerable systems and exploit them to gain access to the internal network. One tool being used is JexBoss, which discovers and exploits vulnerable JBoss application servers.
What is the issue?
Once inside the network, the ransomware queries Active Directory for a list of Windows computers, then "pings" each one to compile a list of active hosts. A public/private key pair is generated for each host, based on its hostname, and the private keys are sent to the attacker.
The ransomware and the corresponding public key are distributed to every active computer on the network, and the ransomware launches in a coordinated attack that hits the entire network within a few minutes. Once active, it deletes the volume shadow copies on each computer and encrypts its files. Backup-related files are specifically sought out for encryption or deletion.
Previous versions of ransomware infected one system, which then encrypted the files on the network; only one key was needed to decrypt all of the files. Now every active computer on the network has a unique encryption key. The criminals know how many devices have been infected and can set the ransom relative to the size of the network. Ransoms have increased from $400 - $600 to tens of thousands of dollars.
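The sequence above (shadow copies deleted on every active host within minutes) is what makes this family detectable: a single host running vssadmin is routine administrator activity, but several hosts running shadow-copy or backup-destruction commands inside a few minutes is not. The script below is an added example, not code from the original page or from the malware; it scans process-creation events (one line per event, in a Sysmon-like layout that is this example's own assumption) and alerts only on a coordinated burst across distinct hosts. The log lines are constructed for the example.

```python
"""Added example: flag coordinated shadow-copy / backup destruction.

Runs over process-creation events flattened to one line each (the
"ts host= user= cmd=" layout is an assumption for this example) and
alerts when several distinct hosts run destructive recovery commands
inside a short window. A lone admin deleting shadows is NOT alerted on.
"""
import re
from datetime import datetime, timedelta

# Commands typically used by ransomware to remove recovery options.
DESTRUCTIVE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
]

# user= is non-greedy because account names may contain spaces (NT AUTHORITY\SYSTEM).
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>.+?) cmd=(?P<cmd>.*)$")

# Constructed sample events (not real logs): one backup operator deleting an
# old shadow at 02:11, then four hosts hit within two minutes at 09:30.
SAMPLE_LOG = """\
2016-03-28T02:10:05 host=FS01 user=CORP\\backupop cmd=vssadmin.exe list shadows
2016-03-28T02:11:00 host=FS01 user=CORP\\backupop cmd=vssadmin delete shadows /for=D: /oldest
2016-03-28T09:30:01 host=WS-104 user=NT AUTHORITY\\SYSTEM cmd=vssadmin.exe delete shadows /all /quiet
2016-03-28T09:30:03 host=WS-117 user=NT AUTHORITY\\SYSTEM cmd=wmic.exe shadowcopy delete /nointeractive
2016-03-28T09:30:15 host=SQL02 user=NT AUTHORITY\\SYSTEM cmd=bcdedit.exe /set {default} recoveryenabled no
2016-03-28T09:31:40 host=FS01 user=NT AUTHORITY\\SYSTEM cmd=wbadmin.exe delete catalog -quiet
2016-03-28T09:32:00 host=WS-104 user=NT AUTHORITY\\SYSTEM cmd=notepad.exe readme.txt
"""


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                       "user": m["user"], "cmd": m["cmd"]})
    return events


def destructive_events(events):
    """Keep only events whose command matches a recovery-destruction pattern."""
    return [e for e in events if any(p.search(e["cmd"]) for p in DESTRUCTIVE_PATTERNS)]


def find_coordinated_bursts(events, window=timedelta(minutes=5), min_hosts=3):
    """Sliding window over destructive events, ordered by time.

    Returns a list of (window_start, last_event_ts, sorted_hosts) for each
    window in which at least min_hosts distinct hosts ran destructive commands.
    Events that were reported in a burst are skipped so they are not reported twice.
    """
    hits = sorted(destructive_events(events), key=lambda e: e["ts"])
    bursts = []
    i = 0
    while i < len(hits):
        start = hits[i]["ts"]
        in_window = [e for e in hits[i:] if e["ts"] - start <= window]
        hosts = sorted({e["host"] for e in in_window})
        if len(hosts) >= min_hosts:
            bursts.append((start, in_window[-1]["ts"], hosts))
            i += len(in_window)
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for start, end, hosts in find_coordinated_bursts(parse_events(SAMPLE_LOG)):
        print(f"ALERT {start} - {end}: recovery destruction on {len(hosts)} hosts: {', '.join(hosts)}")
```

The window and host threshold are tunable; the point of the threshold is the edge case the sample includes: the 02:11 vssadmin run by a backup operator on a single host is legitimate and is not reported, while the 09:30 burst on four hosts is.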
Should we be concerned?
The FBI has put out an alert seeking help from businesses and security experts for emergency assistance in a ransomware investigation.
What types of systems are vulnerable?
All supported releases of Microsoft Windows operating systems are affected. The ransomware does not rely on a Windows vulnerability; the attackers gain their initial foothold through exposed, unpatched applications such as JBoss and then spread from inside the network.
What should you do?
- Ensure that your operating systems and applications are up to date with patches. Malware typically exploits unpatched third-party software; the MSIL/Samas.A operators scan the Internet for vulnerable systems (such as JBoss servers) to exploit.
- If you have Internet-facing systems where users enter credentials, encrypt the traffic and require multi-factor authentication.
- Have a backup process that maintains current backups of all your important data. The backups should be "air-gapped" (isolated from the LAN) or stored on a locked-down VLAN. Test the restore process frequently. If you are infected with ransomware, being able to restore from backup may be the only thing that saves you from paying the ransom.
- Review your Incident Response plan and procedures. Practice your response.
- Have a management discussion regarding payment of ransom (e.g. the situations in which the organization might pay). If payment is a possibility, consider proactively establishing an account at a Bitcoin exchange.
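Because the initial entry in these incidents is an exposed JBoss server rather than a Windows flaw, the first patching check is whether any Internet-facing host still answers on the legacy JBoss management endpoints that scanners like JexBoss probe. The script below is an added example, not JexBoss code and not from the original page; the endpoint list is this example's own, and the fake response table stands in for a vulnerable legacy host so the check can be run offline. Against a real host it issues only GET requests and reports which endpoints answer.

```python
"""Added example: audit an Internet-facing host for exposed legacy JBoss
management endpoints. Only checks reachability/status; it exploits nothing.
"""
import urllib.error
import urllib.request

# Legacy JBoss AS management endpoints (assumed list for this example) that
# should never be reachable from the Internet, let alone unauthenticated.
JBOSS_ENDPOINTS = [
    "/jmx-console/",
    "/web-console/",
    "/admin-console/",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
]


def http_status(url, timeout=5):
    """Return the HTTP status code for a GET of url, or None if unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "jboss-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code          # 401/403/404 still tell us the endpoint exists
    except (urllib.error.URLError, OSError):
        return None


def check_jboss_exposure(base_url, status_fn=http_status):
    """Classify each endpoint as 'open' (200), 'auth' (401/403) or 'absent'.

    status_fn is injectable so the logic can be tested without a network.
    """
    report = {}
    for path in JBOSS_ENDPOINTS:
        code = status_fn(base_url.rstrip("/") + path)
        if code == 200:
            report[path] = "open"
        elif code in (401, 403):
            report[path] = "auth"
        else:
            report[path] = "absent"
    return report


def exposed_paths(report):
    """Endpoints that answer at all; the 'open' ones are the urgent findings."""
    return sorted(p for p, state in report.items() if state != "absent")


# Constructed responses (not from a real server) modelling an unpatched
# legacy JBoss host: JMX console and invoker open, web console behind auth.
FAKE_LEGACY_JBOSS = {
    "/jmx-console/": 200,
    "/web-console/": 401,
    "/invoker/JMXInvokerServlet": 200,
}


def fake_status(url):
    """Stand-in for http_status that answers from FAKE_LEGACY_JBOSS."""
    for path, code in FAKE_LEGACY_JBOSS.items():
        if url.endswith(path):
            return code
    return 404


if __name__ == "__main__":
    # Hypothetical host name; swap in http_status to test a real one.
    result = check_jboss_exposure("http://jboss.example.test:8080", status_fn=fake_status)
    for path, state in result.items():
        print(f"{state:6s} {path}")
```

Any endpoint reported as 'open' on an Internet-facing host is an immediate finding: patch or upgrade the JBoss installation, remove or firewall the management applications, and then look for signs that the internal-network phase described above has already begun.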
Are you prepared?
Being prepared to confidently respond to and investigate cyber-attacks is essential in today's threat environment. We've developed our Cyber Forensics Readiness Program to give you that confidence. The program prepares Incident Responders and IT personnel to quickly and cost-effectively capture and maintain evidence in a forensically sound manner. The training is supported by semi-annual collection exercises and an on-going relationship with experienced Cyber Forensic Investigators.